change pdf url, add rss

.env

@@ -22,3 +22,4 @@ PUBLIC_DOMAIN=crescentec.ch
 
 # Personal info
 EMAIL=chris.windler@crescentec.ch
+MAIN_SERVER_NODE_IP=100.64.0.1:443

docker-compose.yml

@@ -6,7 +6,7 @@
 # Whenever I need to remove some service then I can comment out the lines here. 
 include:
   - path:
-#      - ${SERVICE_PATH}/caddy/caddy.yml
+      - ${SERVICE_PATH}/caddy/caddy.yml
       - ${SERVICE_PATH}/headscale/headscale.yml
       - ${SERVICE_PATH}/watchtower/watchtower.yml
     env_file: ${SERVICE_PATH}/.env

services/caddy/Caddyfile

@@ -0,0 +1,189 @@
+(forward_headers) {
+        header {
+                Permissions-Policy interest-cohort=()
+                Strict-Transport-Security "max-age=31536000; includeSubdomains"
+                X-XSS-Protection "1; mode=block"
+                X-Content-Type-Options "nosniff"
+                X-Robots-Tag noindex, nofollow
+                Referrer-Policy "same-origin"
+                Content-Security-Policy "frame-ancestors {$public_domain }} *.{$public_domain}"
+                -Server
+                Permissions-Policy "geolocation=(self {$public_domain }} *.{$public_domain}), microphone=()"
+        }
+}
+
+auth.{$public_domain} {
+	reverse_proxy {$main_server_ip} {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+        tls {$email}
+        import forward_headers
+}
+
+audiobookshelf.{$public_domain} {
+	reverse_proxy {$main_server_ip} {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+        tls {$email}
+        import forward_headers
+}
+
+gitea.{$public_domain} {
+        reverse_proxy {$main_server_ip} {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+        tls {$email}
+        import forward_headers
+}
+
+headscale.{$public_domain} {
+        reverse_proxy headscale:8080
+        tls {$email}
+        import forward_headers
+}
+
+immich.{$public_domain} {
+	reverse_proxy {$main_server_ip} {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+        tls {$email}
+        import forward_headers
+}
+
+ldap.{$public_domain} {
+	reverse_proxy {$main_server_ip} {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+        tls {$email}
+        import forward_headers
+}
+
+linkwarden.{$public_domain} {
+	reverse_proxy {$main_server_ip} {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+        tls {$email}
+        import forward_headers
+}
+
+mealie.{$public_domain} {
+	reverse_proxy {$main_server_ip} {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+        tls {$email}
+        import forward_headers
+}
+
+navidrome.{$public_domain} {
+	reverse_proxy {$main_server_ip} {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+        tls {$email}
+        import forward_headers
+}
+
+ntfy.{$public_domain} {
+	reverse_proxy {$main_server_ip} {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+        tls {$email}
+        import forward_headers
+}
+
+paperless.{$public_domain} {
+	reverse_proxy {$main_server_ip} {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+        tls {$email}
+        import forward_headers
+}
+
+radicale.{$public_domain} {
+	reverse_proxy {$main_server_ip} {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+        tls {$email}
+        import forward_headers
+}
+
+rss.{$public_domain} {
+	reverse_proxy {$main_server_ip} {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+        tls {$email}
+        import forward_headers
+}
+
+pdf.{$public_domain} {
+	reverse_proxy {$main_server_ip} {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+        tls {$email}
+        import forward_headers
+}
+
+superset.{$public_domain} {
+	reverse_proxy {$main_server_ip} {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+        tls {$email}
+        import forward_headers
+}
+
+vaultwarden.{$public_domain} {
+	reverse_proxy {$main_server_ip} {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+        tls {$email}
+        import forward_headers
+}
+
+vikunja.{$public_domain} {
+	reverse_proxy {$main_server_ip} {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+        tls {$email}
+        import forward_headers
+}
+
+{$public_domain} {
+        reverse_proxy {$main_server_ip} {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+        tls {$email}
+        import forward_headers
+}

services/caddy/caddy.yml

@@ -0,0 +1,30 @@
+services:
+  caddy:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: caddy 
+    container_name: caddy 
+    volumes:
+      - ${SERVICE_PATH}/caddy/config:/etc/headscale
+      - ${SERVICE_PATH}/caddy/Caddyfile:/etc/caddy/Caddyfile
+      - ${SERVICE_PATH}/caddy/site:/srv
+      - ${SERVICE_PATH}/caddy/data:/data
+      - ${SERVICE_PATH}/caddy/config:/config
+      - ${SERVICE_PATH}/caddy/certs:/certs
+    ports:
+      - "80:80"
+      - "443:443"
+      - "443:443/udp"
+    environment:
+      email: ${EMAIL}
+      public_domain: ${PUBLIC_DOMAIN}
+      private_domain: ${LOCAL_DOMAIN}
+      main_server_ip: ${MAIN_SERVER_NODE_IP:-10.10.10.2}
+    cap_add:
+      - NET_ADMIN
+    networks:
+      - ip4net
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"

services/headscale/config-template.yaml.j2

@@ -10,13 +10,13 @@
 #
 # https://myheadscale.example.com:443
 #
-server_url: http://127.0.0.1:8080
+server_url: {{ headscale_server_url }} 
 
 # Address to listen to / bind to on the server
 #
 # For production:
-listen_addr: 0.0.0.0:8080
 #listen_addr: 127.0.0.1:8080
+listen_addr: {{ headscale_listen_addr }}
 
 # Address to listen to /metrics and /debug, you may want
 # to keep this endpoint private to your internal network
@@ -77,7 +77,7 @@ derp:
   server:
     # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
     # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
-    enabled: false
+    enabled: true 
 
     # Region ID to use for the embedded DERP server.
     # The local DERP prevails if the region ID collides with other region ID coming from
@@ -276,7 +276,7 @@ dns:
   # `base_domain` must be a FQDN, without the trailing dot.
   # The FQDN of the hosts will be
   # `hostname.base_domain` (e.g., _myhost.example.com_).
-  base_domain: example.com
+  base_domain: {{ headscale_base_domain }} 
 
   # Whether to use the local DNS settings of a node or override the local DNS
   # settings (default) and force the use of Headscale's DNS configuration.
@@ -285,10 +285,7 @@ dns:
   # List of DNS servers to expose to clients.
   nameservers:
     global:
-      - 1.1.1.1
-      - 1.0.0.1
-      - 2606:4700:4700::1111
-      - 2606:4700:4700::1001
+      - {{ dns_nameserver }}
 
       # NextDNS (see https://tailscale.com/kb/1218/nextdns/).
       # "abc123" is example NextDNS ID, replace with yours.

services/headscale/headscale.yml

@@ -10,9 +10,10 @@ services:
       - ${SERVICE_PATH}/headscale/lib:/var/lib/headscale
       - ${SERVICE_PATH}/headscale/run:/var/run/headscale
     ports:
-      - 0.0.0.0:1000:8080 # api 
-      - 0.0.0.0:1001:9090 # metrics
+      - 127.0.0.1:8080:8080 # api 
+      - 127.0.0.1:9090:9090 # metrics
     command: serve
+    environment:
     networks:
       - ip4net
     labels: